This site may earn affiliate commissions from the links on this page. Terms of use.

SAN FRANCISCO--Researchers were able to use application-specific passwords to bypass Google's two-factor authentication and gain full control over a user's Gmail account.

The 2013 RSA Security Conference begins in earnest tomorrow morning, but many of the conference attendees were already milling around in San Francisco's Moscone Center to take in talks at the Cloud Security Alliance Summit and the Trusted Computing Group Panel. Others struck up conversations on a wide assortment of security-related topics with other attendees. This morning's post from Duo Security on how researchers had found a way to bypass Google's two-factor authentication was a common topic of discussion this morning.

Google allows users to turn on two-factor authentication on their Gmail account for stronger security and generate special access tokens for applications that don't support two-step verification. Researchers at Duo Security found a way to abuse those special tokens to completely circumvent the two-factor process, wrote Adam Goodman, principal security engineer at Duo Security. Duo Security notified Google of the issues, and the company has "implemented some changes to mitigate the most serious of the threats," Goodman wrote.

"We think it's a rather significant hole in a strong authentication system if a user still has some form of 'password' that is sufficient to take over full control of his account," Goodman wrote.

However, he also said that having two-factor authentication, even with this flaw, was "unequivocally better" than just relying on a normal username/password combination.

The Issue With ASPsTwo-factor authentication is a good way to secure user accounts, since it requires something you know (the password) and something you have (a mobile device to get the special code). Users who have turned on two-factor on their Google accounts need to enter their normal login credentials, and then the special one-use password displayed on their mobile device. The special password may be generated by an app on the mobile device or sent via SMS message, and is device specific. This means the user doesn't need to worry about generating a new code every single time they log in, but every single time they log in from a new device. However, for additional security, the authentication code expires every 30 days.

Great idea and implementation, but Google had to make "a few compromises," such as application-specific passwords, so that users could still use applications that don't support two-step verification, Goodman noted. ASPs are specialized tokens generated for each application (hence the name) that users enter in place of the password/token combination. Users can use ASPs for email clients such as Mozilla Thunderbird, chat clients such as Pidgin, and calendar applications. Older Android versions also don't support two-step, so users had to use ASPs to sign in to older phones and tablets. Users could also revoke access to their Google account by disabling that application's ASP.

Duo Security discovered that ASPs actually weren't application-specific, after all, and could do more than just grabbing email over the IMAP protocol or calendar events using CalDev. In fact, one code could be used to log in to almost any of the Google's Web properties thanks to a new "auto-login" feature introduced in recent Android and Chrome OS versions. Auto-login allowed users who linked their mobile devices or Chromebooks to their Google accounts to automatically access all Google-related pages over the Web without ever seeing another login page.

With that ASP, someone could go straight to the “Account recovery page” and edit email addresses and phone numbers where password-reset messages are sent.

"This was enough for us to realize that ASPs presented some surprisingly-serious security threats," Goodman said.

Duo Security intercepted an ASP by analyzing requests sent from an Android device to Google servers. While a phishing scheme to intercept ASPs would likely have a low rate of success, Duo Security speculated that malware could be designed to extract ASPs stored on the device or take advantage of poor SSL certificate verification to intercept ASPs as part of a man-in-the-middle attack.

While Google's fixes address the problems found, "we'd love to see Google implement some means to further-restrict the privileges of individual ASPs," Goodman wrote.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.
Follow me on Twitter: zdfyrashid
More »